Add new environment variable REDIS_TLS_CA_DIR to [bitnami/redis] in order to support tls-ca-cert-dir config in redis.conf

Add new environment variable REDIS_TLS_CA_DIR to [bitnami/redis] in order to support tls-ca-cert-dir config in redis.conf

Signed-off-by: Uche Nebed <[email protected]>
nebed committed Feb 5, 2024
1 parent f324f50 commit ef9ce1d
Showing 7 changed files with 39 additions and 9 deletions.
13 changes: 10 additions & 3 deletions bitnami/redis/6.2/debian-11/rootfs/opt/bitnami/scripts/libredis.sh
Expand Up @@ -228,7 +228,11 @@ redis_validate() {
print_validation_error "The private key file in the specified path ${REDIS_TLS_KEY_FILE} does not exist"
fi
if [[ -z "$REDIS_TLS_CA_FILE" ]]; then
print_validation_error "You must provide a CA X.509 certificate in order to use TLS"
if [[ -z "$REDIS_TLS_CA_DIR" ]]; then
print_validation_error "You must provide either a CA X.509 certificate or a CA certificates directory in order to use TLS"
elif [[ ! -d "$REDIS_TLS_CA_DIR" ]]; then
print_validation_error "The CA certificates directory specified by path ${REDIS_TLS_CA_DIR} does not exist"
fi
elif [[ ! -f "$REDIS_TLS_CA_FILE" ]]; then
print_validation_error "The CA X.509 certificate file in the specified path ${REDIS_TLS_CA_FILE} does not exist"
fi
Expand Down Expand Up @@ -265,7 +269,9 @@ redis_configure_replication() {
elif [[ "$REDIS_REPLICATION_MODE" =~ ^(slave|replica)$ ]]; then
if [[ -n "$REDIS_SENTINEL_HOST" ]]; then
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}" "--cacert" "${REDIS_TLS_CA_FILE}")
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}")
! is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
sentinel_info_command+=("sentinel" "get-master-addr-by-name" "${REDIS_SENTINEL_MASTER_NAME}")
read -r -a REDIS_SENTINEL_INFO <<< "$("${sentinel_info_command[@]}" | tr '\n' ' ')"
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
Expand Down Expand Up @@ -431,7 +437,8 @@ redis_configure_default() {
fi
redis_conf_set tls-cert-file "$REDIS_TLS_CERT_FILE"
redis_conf_set tls-key-file "$REDIS_TLS_KEY_FILE"
redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
! is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-dir "$REDIS_TLS_CA_DIR"
! is_empty_value "$REDIS_TLS_KEY_FILE_PASS" && redis_conf_set tls-key-file-pass "$REDIS_TLS_KEY_FILE_PASS"
[[ -n "$REDIS_TLS_DH_PARAMS_FILE" ]] && redis_conf_set tls-dh-params-file "$REDIS_TLS_DH_PARAMS_FILE"
redis_conf_set tls-auth-clients "$REDIS_TLS_AUTH_CLIENTS"
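Review bot: In the sentinel lookup hunk the two new `--cacertdir`/`--cacert` lines are appended unconditionally, whereas the line they replace only added `--cacert` when `is_boolean_yes "$REDIS_TLS_ENABLED"` held; since `REDIS_TLS_CA_FILE` defaults to empty (see redis-env.sh), a replica with TLS disabled now runs `redis-cli ... --cacertdir ""` with no `--tls`. redis-cli appears to ignore CA options when `--tls` is absent, so this is probably benign today, but it couples the plaintext path to TLS-only flags and the empty-string argument is one redis-cli option-parsing change away from an empty `REDIS_SENTINEL_INFO` and a failed replica bootstrap. Nest the CA selection inside the TLS branch so the CA source is chosen only when TLS is actually in use. Separately, `--cacertdir` (like `tls-ca-cert-dir`) is passed to OpenSSL as a CA path and, as far as I know, requires the hashed `openssl rehash` layout, so a directory of plain `.pem` files passes the new `-d` validation yet still fails peer verification — worth a `# REDIS_TLS_CA_DIR must be in OpenSSL hashed (openssl rehash) layout` comment beside that check. `redis_configure_replication` starts and ends outside this hunk.
```shell
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
# CA options are TLS-only: pick the CA source inside the TLS branch so a
# plaintext sentinel lookup never receives --cacert/--cacertdir.
if is_boolean_yes "$REDIS_TLS_ENABLED"; then
    sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
    if is_empty_value "$REDIS_TLS_CA_FILE"; then
        sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}")
    else
        sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
    fi
fi
# … unchanged: get-master-addr-by-name query and REDIS_MASTER_HOST assignment …
```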
Expand Up @@ -51,6 +51,7 @@ redis_env_vars=(
REDIS_TLS_KEY_FILE
REDIS_TLS_KEY_FILE_PASS
REDIS_TLS_CA_FILE
REDIS_TLS_CA_DIR
REDIS_TLS_DH_PARAMS_FILE
REDIS_TLS_AUTH_CLIENTS
REDIS_SENTINEL_MASTER_NAME
Expand Down Expand Up @@ -120,6 +121,7 @@ export REDIS_TLS_CERT_FILE="${REDIS_TLS_CERT_FILE:-}"
export REDIS_TLS_KEY_FILE="${REDIS_TLS_KEY_FILE:-}"
export REDIS_TLS_KEY_FILE_PASS="${REDIS_TLS_KEY_FILE_PASS:-}"
export REDIS_TLS_CA_FILE="${REDIS_TLS_CA_FILE:-}"
export REDIS_TLS_CA_DIR="${REDIS_TLS_CA_DIR:-}"
export REDIS_TLS_DH_PARAMS_FILE="${REDIS_TLS_DH_PARAMS_FILE:-}"
export REDIS_TLS_AUTH_CLIENTS="${REDIS_TLS_AUTH_CLIENTS:-yes}"

13 changes: 10 additions & 3 deletions bitnami/redis/7.0/debian-11/rootfs/opt/bitnami/scripts/libredis.sh
Expand Up @@ -228,7 +228,11 @@ redis_validate() {
print_validation_error "The private key file in the specified path ${REDIS_TLS_KEY_FILE} does not exist"
fi
if [[ -z "$REDIS_TLS_CA_FILE" ]]; then
print_validation_error "You must provide a CA X.509 certificate in order to use TLS"
if [[ -z "$REDIS_TLS_CA_DIR" ]]; then
print_validation_error "You must provide either a CA X.509 certificate or a CA certificates directory in order to use TLS"
elif [[ ! -d "$REDIS_TLS_CA_DIR" ]]; then
print_validation_error "The CA certificates directory specified by path ${REDIS_TLS_CA_DIR} does not exist"
fi
elif [[ ! -f "$REDIS_TLS_CA_FILE" ]]; then
print_validation_error "The CA X.509 certificate file in the specified path ${REDIS_TLS_CA_FILE} does not exist"
fi
Expand Down Expand Up @@ -265,7 +269,9 @@ redis_configure_replication() {
elif [[ "$REDIS_REPLICATION_MODE" =~ ^(slave|replica)$ ]]; then
if [[ -n "$REDIS_SENTINEL_HOST" ]]; then
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}" "--cacert" "${REDIS_TLS_CA_FILE}")
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}")
! is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
sentinel_info_command+=("sentinel" "get-master-addr-by-name" "${REDIS_SENTINEL_MASTER_NAME}")
read -r -a REDIS_SENTINEL_INFO <<< "$("${sentinel_info_command[@]}" | tr '\n' ' ')"
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
Expand Down Expand Up @@ -431,7 +437,8 @@ redis_configure_default() {
fi
redis_conf_set tls-cert-file "$REDIS_TLS_CERT_FILE"
redis_conf_set tls-key-file "$REDIS_TLS_KEY_FILE"
redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
! is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-dir "$REDIS_TLS_CA_DIR"
! is_empty_value "$REDIS_TLS_KEY_FILE_PASS" && redis_conf_set tls-key-file-pass "$REDIS_TLS_KEY_FILE_PASS"
[[ -n "$REDIS_TLS_DH_PARAMS_FILE" ]] && redis_conf_set tls-dh-params-file "$REDIS_TLS_DH_PARAMS_FILE"
redis_conf_set tls-auth-clients "$REDIS_TLS_AUTH_CLIENTS"
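Review bot: The replaced `--cacert` argument in the sentinel lookup was gated on `is_boolean_yes "$REDIS_TLS_ENABLED"`, but the two lines that now add `--cacertdir`/`--cacert` carry no such gate, so with TLS off (and `REDIS_TLS_CA_FILE` at its empty default from redis-env.sh) the command becomes `redis-cli ... --cacertdir ""` without `--tls`. redis-cli seems to ignore CA options when TLS is not requested, so this likely works today, but a plaintext replica should not depend on that, and an empty-string argument is fragile against future redis-cli option parsing (a failed lookup leaves `REDIS_SENTINEL_INFO` empty and the replica without a master). Move the CA selection under the TLS check as below. Also note, hedged: both `--cacertdir` and `tls-ca-cert-dir` are OpenSSL CA *paths*, which to my knowledge need the hashed `openssl rehash` layout, so the `-d` validation alone does not guarantee the directory is usable — a one-line comment at the validation site would save operators a confusing verification failure. `redis_configure_replication` begins and ends outside this hunk.
```shell
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
# CA options only make sense with --tls; choose the CA source inside the branch.
if is_boolean_yes "$REDIS_TLS_ENABLED"; then
    sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
    if is_empty_value "$REDIS_TLS_CA_FILE"; then
        sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}")
    else
        sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
    fi
fi
# … unchanged: get-master-addr-by-name query and REDIS_MASTER_HOST assignment …
```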
Expand Up @@ -51,6 +51,7 @@ redis_env_vars=(
REDIS_TLS_KEY_FILE
REDIS_TLS_KEY_FILE_PASS
REDIS_TLS_CA_FILE
REDIS_TLS_CA_DIR
REDIS_TLS_DH_PARAMS_FILE
REDIS_TLS_AUTH_CLIENTS
REDIS_SENTINEL_MASTER_NAME
Expand Down Expand Up @@ -120,6 +121,7 @@ export REDIS_TLS_CERT_FILE="${REDIS_TLS_CERT_FILE:-}"
export REDIS_TLS_KEY_FILE="${REDIS_TLS_KEY_FILE:-}"
export REDIS_TLS_KEY_FILE_PASS="${REDIS_TLS_KEY_FILE_PASS:-}"
export REDIS_TLS_CA_FILE="${REDIS_TLS_CA_FILE:-}"
export REDIS_TLS_CA_DIR="${REDIS_TLS_CA_DIR:-}"
export REDIS_TLS_DH_PARAMS_FILE="${REDIS_TLS_DH_PARAMS_FILE:-}"
export REDIS_TLS_AUTH_CLIENTS="${REDIS_TLS_AUTH_CLIENTS:-yes}"

13 changes: 10 additions & 3 deletions bitnami/redis/7.2/debian-11/rootfs/opt/bitnami/scripts/libredis.sh
Expand Up @@ -228,7 +228,11 @@ redis_validate() {
print_validation_error "The private key file in the specified path ${REDIS_TLS_KEY_FILE} does not exist"
fi
if [[ -z "$REDIS_TLS_CA_FILE" ]]; then
print_validation_error "You must provide a CA X.509 certificate in order to use TLS"
if [[ -z "$REDIS_TLS_CA_DIR" ]]; then
print_validation_error "You must provide either a CA X.509 certificate or a CA certificates directory in order to use TLS"
elif [[ ! -d "$REDIS_TLS_CA_DIR" ]]; then
print_validation_error "The CA certificates directory specified by path ${REDIS_TLS_CA_DIR} does not exist"
fi
elif [[ ! -f "$REDIS_TLS_CA_FILE" ]]; then
print_validation_error "The CA X.509 certificate file in the specified path ${REDIS_TLS_CA_FILE} does not exist"
fi
Expand Down Expand Up @@ -265,7 +269,9 @@ redis_configure_replication() {
elif [[ "$REDIS_REPLICATION_MODE" =~ ^(slave|replica)$ ]]; then
if [[ -n "$REDIS_SENTINEL_HOST" ]]; then
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}" "--cacert" "${REDIS_TLS_CA_FILE}")
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}")
! is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
sentinel_info_command+=("sentinel" "get-master-addr-by-name" "${REDIS_SENTINEL_MASTER_NAME}")
read -r -a REDIS_SENTINEL_INFO <<< "$("${sentinel_info_command[@]}" | tr '\n' ' ')"
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
Expand Down Expand Up @@ -431,7 +437,8 @@ redis_configure_default() {
fi
redis_conf_set tls-cert-file "$REDIS_TLS_CERT_FILE"
redis_conf_set tls-key-file "$REDIS_TLS_KEY_FILE"
redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
! is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-dir "$REDIS_TLS_CA_DIR"
! is_empty_value "$REDIS_TLS_KEY_FILE_PASS" && redis_conf_set tls-key-file-pass "$REDIS_TLS_KEY_FILE_PASS"
[[ -n "$REDIS_TLS_DH_PARAMS_FILE" ]] && redis_conf_set tls-dh-params-file "$REDIS_TLS_DH_PARAMS_FILE"
redis_conf_set tls-auth-clients "$REDIS_TLS_AUTH_CLIENTS"
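Review bot: The `is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacertdir" ...)` line and its `--cacert` counterpart run regardless of `REDIS_TLS_ENABLED`, unlike the single line they replace, so a non-TLS replica (where `REDIS_TLS_CA_FILE` is empty by default per redis-env.sh) issues `redis-cli ... --cacertdir ""` with no `--tls`. I believe redis-cli discards CA options when `--tls` is absent, so the failure is latent rather than immediate, but passing TLS trust-store flags on a plaintext path is misleading and the empty argument is a future breakage risk for the sentinel lookup that seeds `REDIS_MASTER_HOST`. Wrap the CA selection in the TLS branch as shown. As a caveat for the directory mode generally: `--cacertdir`/`tls-ca-cert-dir` are OpenSSL CA paths and, as far as I know, expect the hashed `openssl rehash` layout, so the `-d` check in `redis_validate` should be accompanied by a comment stating that requirement. `redis_configure_replication` starts before and ends after this hunk.
```shell
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
# Select the CA source only when TLS is enabled; plaintext lookups get no CA flags.
if is_boolean_yes "$REDIS_TLS_ENABLED"; then
    sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
    if is_empty_value "$REDIS_TLS_CA_FILE"; then
        sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}")
    else
        sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
    fi
fi
# … unchanged: get-master-addr-by-name query and REDIS_MASTER_HOST assignment …
```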
Expand Up @@ -51,6 +51,7 @@ redis_env_vars=(
REDIS_TLS_KEY_FILE
REDIS_TLS_KEY_FILE_PASS
REDIS_TLS_CA_FILE
REDIS_TLS_CA_DIR
REDIS_TLS_DH_PARAMS_FILE
REDIS_TLS_AUTH_CLIENTS
REDIS_SENTINEL_MASTER_NAME
Expand Down Expand Up @@ -120,6 +121,7 @@ export REDIS_TLS_CERT_FILE="${REDIS_TLS_CERT_FILE:-}"
export REDIS_TLS_KEY_FILE="${REDIS_TLS_KEY_FILE:-}"
export REDIS_TLS_KEY_FILE_PASS="${REDIS_TLS_KEY_FILE_PASS:-}"
export REDIS_TLS_CA_FILE="${REDIS_TLS_CA_FILE:-}"
export REDIS_TLS_CA_DIR="${REDIS_TLS_CA_DIR:-}"
export REDIS_TLS_DH_PARAMS_FILE="${REDIS_TLS_DH_PARAMS_FILE:-}"
export REDIS_TLS_AUTH_CLIENTS="${REDIS_TLS_AUTH_CLIENTS:-yes}"

3 changes: 3 additions & 0 deletions bitnami/redis/README.md
Expand Up @@ -476,9 +476,12 @@ Starting with version 6, Redis(R) adds the support for SSL/TLS connections. Shou
* `REDIS_TLS_CERT_FILE`: File containing the certificate file for the TLS traffic. No defaults.
* `REDIS_TLS_KEY_FILE`: File containing the key for certificate. No defaults.
* `REDIS_TLS_CA_FILE`: File containing the CA of the certificate. No defaults.
* `REDIS_TLS_CA_DIR`: Directory containing the CA certificates. No defaults.
* `REDIS_TLS_DH_PARAMS_FILE`: File containing DH params (in order to support DH based ciphers). No defaults.
* `REDIS_TLS_AUTH_CLIENTS`: Whether to require clients to authenticate or not. Defaults to `yes`.

When both `REDIS_TLS_CA_FILE` and `REDIS_TLS_CA_DIR` are set, `REDIS_TLS_CA_FILE` is used preferentially.

When enabling TLS, conventional standard traffic is disabled by default. However this new feature is not mutually exclusive, which means it is possible to listen to both TLS and non-TLS connection simultaneously. To enable non-TLS traffic, set `REDIS_TLS_PORT_NUMBER` to another port different than `0`.

1. Using `docker run`
